2026-02-15 08:14:32 +01:00

Onion-Transit

A centralized Tor proxy daemon that embeds Arti (Rust Tor implementation) and exposes SOCKS5 + optional transparent proxy interfaces for LAN/VPS clients.

What it does

Clients on a local network or VPN delegate Tor circuit building to a single Onion-Transit node instead of running Tor locally. This trades some anonymity guarantees for simplified deployment and lower per-client overhead.

Standard Tor .onion access:

Client (3 hops) → Rendezvous ← Service (3 hops)   = 6 hops total

With Onion-Transit:

Client → LAN → Transit (3 hops) → Rendezvous ← Service (3 hops)

The client's path is a single LAN hop to the Transit node. One Arti instance shares bootstrap, directory cache, and guard nodes across all clients.

Security Warning

Onion-Transit centralizes Tor traffic and can see destination .onion names. Anonymity assumptions differ significantly from Tor Browser.

This tool is designed for:

  • Lab / office / team environments
  • Development and testing
  • VPS gateway for a trusted user group

It is NOT appropriate for: journalists, activists, or scenarios with adversarial threat models.

Deployment Modes

Mode          Binds to         Use case
gateway       0.0.0.0:1080     Shared SOCKS5 for LAN/VPN clients
app-embedded  127.0.0.1 only   Sidecar for a single application

Quick Start

# Build
cargo build --release

# Check config before running
onion-transit config-check --config config.toml

# Start in gateway mode
onion-transit start --config config.toml

# Check runtime status
onion-transit status --json

Configuration

See config.example.toml for all options with documentation.

Key settings:

mode = "gateway"          # or "app-embedded"
trust_domain = "team"     # "lab", "team", or "personal"

[security]
mode = "standard"         # "reduced" requires feature flag + explicit opt-in
allowed_clients = ["10.0.0.0/8", "192.168.0.0/16"]
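
An added example, not Onion-Transit's own code: one way a gateway bound to 0.0.0.0 could enforce an allowed_clients list like the one above as a default-deny check, including IPv4 clients that arrive as IPv4-mapped IPv6 addresses on a dual-stack listener. The names Cidr4, parse_allowlist and client_allowed are hypothetical, and the sketch assumes IPv4-only entries.

```rust
use std::net::{IpAddr, Ipv4Addr};

/// One IPv4 allowlist entry such as "10.0.0.0/8" (hypothetical type, not from Onion-Transit).
#[derive(Debug, Clone, Copy)]
pub struct Cidr4 { net: u32, mask: u32 }

impl Cidr4 {
    /// Parse "a.b.c.d/len"; rejects a missing or out-of-range prefix length.
    pub fn parse(s: &str) -> Result<Self, String> {
        let (addr, len) = s.split_once('/').ok_or_else(|| format!("missing prefix length: {s}"))?;
        let addr: Ipv4Addr = addr.parse().map_err(|e| format!("bad address in {s}: {e}"))?;
        let len: u32 = len.parse().map_err(|e| format!("bad prefix in {s}: {e}"))?;
        if len > 32 { return Err(format!("prefix too long: {s}")); }
        // A /0 mask is handled separately: shifting a u32 by 32 bits overflows.
        let mask = if len == 0 { 0 } else { u32::MAX << (32 - len) };
        Ok(Cidr4 { net: u32::from(addr) & mask, mask })
    }
    pub fn contains(&self, ip: Ipv4Addr) -> bool { u32::from(ip) & self.mask == self.net }
}

/// Default-deny check of a connecting peer against the allowlist.
pub fn client_allowed(peer: IpAddr, allowed: &[Cidr4]) -> bool {
    // On a dual-stack listener an IPv4 client appears as ::ffff:a.b.c.d; normalise it first.
    let v4 = match peer {
        IpAddr::V4(v4) => v4,
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() { Some(v4) => v4, None => return false },
    };
    allowed.iter().any(|c| c.contains(v4))
}

/// Parse every entry; one malformed entry fails the whole list (fail closed).
pub fn parse_allowlist(entries: &[&str]) -> Result<Vec<Cidr4>, String> {
    entries.iter().map(|e| Cidr4::parse(e)).collect()
}

fn main() {
    // Entries taken from the [security] section above; peer addresses are constructed samples.
    let allowed = parse_allowlist(&["10.0.0.0/8", "192.168.0.0/16"]).expect("valid allowlist");
    for peer in ["10.4.2.9", "192.168.1.20", "::ffff:10.0.0.5", "203.0.113.7", "172.16.0.1", "fd00::1"] {
        let ip: IpAddr = peer.parse().unwrap();
        println!("{peer:<18} {}", if client_allowed(ip, &allowed) { "allow" } else { "deny" });
    }
}
```

An empty list denies every client, and an entry such as "0.0.0.0/0" admits every IPv4 client, so it is worth flagging at config-check time in gateway mode.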

Transparent Proxy (Linux only)

Build with the tproxy feature and use the separate binary:

cargo build --release --features tproxy

The transparent proxy requires iptables/nftables DNAT/REDIRECT rules. It does not support other interception methods. Example:

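# iptables matches IP addresses, not name patterns, so -d needs a CIDR rather than '*.onion'.
# ONION_MAPPED_CIDR is a placeholder: set it to the address range .onion names map to in your setup.
iptables -t nat -A OUTPUT -p tcp -d "$ONION_MAPPED_CIDR" --dport 80 \
  -j REDIRECT --to-ports 9040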

Run the dedicated binary (may require elevated privileges):

onion-transit-tproxy --config config.toml

Building

# Standard build (SOCKS5 only)
cargo build --release

# With transparent proxy support
cargo build --release --features tproxy

# With reduced-security mode (DANGER)
cargo build --release --features reduced-security

Connection Profiles

Profile          Description
OnionStrict      Full 3-hop circuit, stream isolation per destination (default)
OnionFast        Reduced isolation, shared circuits where possible
ClearnetDefault  Standard Tor exit policy

License

MIT
